In today's podcast we hear that there's no consensus, yet, on Bloomberg's report of Chinese seeding attacks on the IT hardware supply chain. Ukrainian fiscal authority sustains DDoS attack. GAO reports on cyber vulnerabilities in US Defense Department weapon systems. Xiongmai DVRs and cameras still exhibit bugs exploited by the Mirai botnet. Patch notes. And a lizard toe-dials from a veterinary clinic—he wasn't a patient; just visiting. Robert M. Lee from Dragos with insights on the Bloomberg hardware supply chain story. Guest is Stephen Cobb from ESET with results from their recent AI and ML silver bullet survey.
Dave Bittner: [00:00:03] There's no consensus yet on Bloomberg's reports of Chinese seeding attacks in the IT hardware supply chain. We've got Robert M. Lee from Dragos joining us to provide his take on the story. Ukrainian fiscal authority sustains a DDoS attack. The GAO reports on cyber vulnerabilities in U.S. Defense Department weapons systems. Xiongmai DVRs and cameras still exhibit bugs exploited by the Mirai botnet. We've got some patch notes. And a lizard toe-dials from a veterinary clinic - he wasn't a patient, just visiting.
Dave Bittner: [00:00:42] And now a word from our sponsor Wombat. When it comes to security, it doesn't matter how deep your moat is or how high your castle walls are if an unaware employee lowers the drawbridge for cybercriminals. Ninety percent of attacks now start with phishing and social engineering to gain access to systems and data. So educating your employees to spot and defend against these threats is more crucial than ever. Wombat Security, a division of Proofpoint, is the leading provider of information security awareness and training software designed to educate your employees to identify social engineering and protect your organization. Through phishing simulation and knowledge assessments, Wombat paints a picture of where your employees are vulnerable and changes their risky behaviors through highly effective interactive training. Born from research conducted at Carnegie Mellon University, Wombat's suite of training covers topics from phishing and social engineering to physical and office security and even compliance topics like GDPR. And now through an integration with Proofpoint's world-class threat intelligence, Wombat is leading the way with phishing simulations and content based on the latest emerging threats. Don't let cybercriminals into your castle. Transform your employees from risky to ready with Wombat Security. To learn more, visit wombatsecurity.com/cyberwire. That's wombatsecurity.com/cyberwire. And we thank Wombat for sponsoring our show.
Dave Bittner: [00:02:13] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 10, 2018. Bloomberg doubles down on its report of Chinese hardware supply chain seeding with on-the-record corroboration from Sepio Systems. Sepio is quoted as saying that it found the malicious implants in equipment belonging to one of its clients, a telecommunications company it can't name because of a non-disclosure agreement. AT&T, Verizon and Sprint told Bloomberg they're not affected. Motherboard reports that CenturyLink, Cox and Comcast also denied being the affected telco.
Dave Bittner: [00:02:54] Norway's national security authority also said, according to Bloomberg, that it has been aware of an issue with respect to Supermicro devices since June but that it couldn't confirm the specifics of Bloomberg's report. The U.S. Department of Homeland Security denied investigating the matter. But Bloomberg notes that the investigation mentioned in their report would be one conducted by the FBI. The FBI has declined to comment. There's no consensus yet as to whether Bloomberg's report is true, and the story is still developing. Apple has sent a strongly worded direct and detailed denial of the alleged incident to Congress. The U.S. Senate commerce committee is considering hearings on the matter. A little later in the show, we'll hear from Robert M. Lee from ICS security firm Dragos with his take on the Bloomberg story.
Dave Bittner: [00:03:44] Ukraine's State Fiscal Service has been under denial-of-service attacks since Monday. There's no attribution yet in the brief report filed by Reuters. But the attack continued through yesterday at least. The U.S. Government Accountability Office reported yesterday that investigation finds Defense Department weapons systems remain vulnerable to cyberattack. Connectivity and automation are important enablers of system effectiveness. But GAO thinks the Pentagon was, in effect, late to the cybersecurity party and is still playing catch up.
Dave Bittner: [00:04:17] Progress is being made, the GAO says. And it urges the Department of Defense to maintain its momentum. They suggest that the acquisition officials make more use of NSA in reviewing the cybersecurity of the systems whose development they oversee. NSA indicated to the investigators that they'd be willing and able to provide such support. Researchers at security firm ESET recently surveyed security professionals to gauge their attitudes towards AI and machine learning. Stephen Cobb is a senior security researcher at ESET.
Stephen Cobb: [00:04:51] In our survey, we found that a large percentage of larger companies have some form of machine learning they think in their endpoint protection products. A significant percentage are looking at AI machine learning as something of a silver bullet to really give an advantage not only in their protective capabilities but also in addressing this big problem we have with the cybersecurity skills gap - so well up into the, you know, 75 percent range looking at it as potentially improving their security and assisting them in their ability to cope with security with fewer people potentially. That's all very good.
Stephen Cobb: [00:05:38] Unfortunately, there's two sides to this, one of which is that machine learning and artificial intelligence are not protected technologies. They're things which malicious actors can use as well. And one of the interesting findings in our survey was although there's a lot of enthusiasm for AI and ML in security products amongst companies, there's also a fairly high level of awareness that there is hype around this, and also, an awareness that this same technology could be used maliciously, all right? So this was actually to me very encouraging that two-thirds of the people - and this was a survey taken across the U.S., the U.K. and Germany. Two-thirds thought that malicious use of AI would increase the number of attacks and also make those attacks more complex and harder to detect.
Dave Bittner: [00:06:37] Now, it's interesting that some of your results were that people had different views in the U.S. versus the European survey respondents.
Stephen Cobb: [00:06:47] Yes. It was very interesting. And I would characterize it like this. In the U.S., there's been more adoption of AI, ML solutions, more, I think, confidence based in those, more positive attitude - but also in the U.S., a higher awareness that it might be hype as well. In Germany and the U.K., the two other countries that we looked at, there was lower adoption, less fear that it might be hype. And so you have this sense that maybe in Europe, they're proceeding a little bit more conservatively towards the adoption of these technologies. And they may be - one could hypothesize they're doing a more measured approach.
Dave Bittner: [00:07:38] That's Stephen Cobb from ESET. You can find detailed results from their survey. That's on the ESET website.
Dave Bittner: [00:07:46] SEC Consult researchers have found critical vulnerabilities in Xiongmai Technology's widely used and inexpensive DVRs and security cameras. Krebs on Security complains that Xiongmai is effectively an internet polluter, spreading vulnerabilities like cheap sludge. The site points out that Xiongmai components provide the vulnerabilities that the Mirai botnet exploited and that unlike other manufacturers, such as Huawei, Xiongmai has done little - if anything - to fix its problems. SEC Consult gave up trying to get the manufacturer to patch. And Krebs thinks Xiongmai richly merits naming and shaming.
Dave Bittner: [00:08:25] We've got some notes on patches and upgrades. Intel's ninth-generation Core processors include hardware protection against two variants of the Spectre and Meltdown speculative execution vulnerabilities. Among the 50 or so Microsoft patches were fixes addressing Jet Database Engine bugs and a privilege escalation zero-day, actively exploited in the wild by the FruityArmor APT group.
Dave Bittner: [00:08:51] And finally, we ask, have you ever faced the embarrassment of butt dialing? We're asking you for a friend, of course. This happens when, phone in back pocket, you sit and inadvertently apply pressure to the phone in ways that cause it to make a call. Here's a similar issue a marine mammal veterinary clinic in Hawaii faced - foot dialing. The Ke Kai Ola Marine Mammal Center on the Big Island, known for taking care of monk seals, was issuing a bazillion phone calls the other day, as the Associated Press puts it. The bazillion recipients would answer, but there was no one on the line - silence, like a failed robocall from a telemarketer. Ke Kai Ola received many complaints to the effect of, why are you calling me incessantly?
Dave Bittner: [00:09:35] The hospital director, veterinarian Dr. Claire Simeone, came in to investigate the problem after receiving repeated calls herself. She found a gecko tap dancing vigorously on the touch screen of one of the facility's Polycom phones. As she tweeted, there is a gecko sitting on the touch screen of the phone making calls with his tiny gecko feet. This gecko has called me 15 times and everyone in our recent call list. No reptiles were harmed in the resolution of this story. The dancer was picked up and placed on a plant outside where he belongs. Hawaiian Telcom pointed out to Ke Kai Ola that this should never have happened because geckos are terrestrial lizards, not marine mammals. No evidence points to this being any kind of supply chain attack. It's just a case of happy feet.
Dave Bittner: [00:10:35] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.
Dave Bittner: [00:11:29] And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. Certainly, a lot of attention in the past week or so from this story that came out from Bloomberg Businessweek. This was "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies." I think as interesting as this story is - and it is interesting - is the sort of blanket denials that we've seen from the organizations mentioned in the story. I just want to check in with you on this. What's your take?
Robert M. Lee: [00:11:58] There's so many different elements to this story, which obviously and appropriately are concerning folks. One aspect of it is hardware supply chain hacks are something that we've long thought about and been concerned about. And it's extremely difficult to sort of work around them. But we haven't really seen a disclosure of a real one - we've seen counterfeit technology and stuff but not really a hardware hack.
Robert M. Lee: [00:12:25] But everyone's concerned about it. So hardware hacks are real, and we are concerned about it. But at the same time, the details of the story and sort of the background of the story really don't make sense. So there's been some folks that come out - you know, Joe Fitz is one of the folks who's been a - he's a hardware expert and well aware of what goes on with these pieces and also was a named source in the story of how these kind of compromises occur.
Robert M. Lee: [00:12:52] And, you know, when he and others that were actually involved in the story came out, they said, look. Nobody ever called me for fact checking. I actually disagree with the principle of some of that - you know, the story. A lot of the details don't make sense. We see blanket denials from these companies, which is not normal. It's normal to say no comment or whatever. But it's not normal to come out and vehemently disagree with it. If DHS came out and disagreed with it - we have, you know, Rob Joyce on Twitter, you know, previous White House cyber coordinator.
Robert M. Lee: [00:13:21] And still, the NSA comes out and goes, I don't know this is too accurate. I mean, it's unheard of to see so many strong rebuttals. And at the end of the day, these journalists are relying on, for the actual sensational piece, completely unnamed sources. And what's concerning here is this has a real impact not only on Supermicro, who their stock tanked as soon as the story came out, but also on all the people that use them. And they're an extremely widespread supplier. So lots of companies are scrambling around this. And to do that completely off unnamed sources, I think, is a little bit irresponsible, to be honest. And I guess there's two other aspects concerning about this.
Robert M. Lee: [00:14:06] Number one is the technical details are not sound, so they do not make sense together. So it looks like the reporters, even if they had the best of intentions, conveyed some of the details incorrectly, even the pictures that people were pointing to and go, oh, there's the chip. You know, those are made-up pictures of what they think it should look like. They're not actual pictures of compromised boards.
Robert M. Lee: [00:14:29] The second piece is - you know, and I think this is very close to an - you know, an ad hominem attack, so I want to be careful - but worthy to note that these reporters have covered three or four major sensational stories before that were deeply incorrect and based on anonymous sources that ended up not being accurate at all. So I don't think their intentions are misaligned. I feel that they're - they honestly believe what they're saying. But we've seen them be massively incorrect on technical stories before. They're the ones that pushed forward that the BTC pipeline in Turkey was hacked by the Russian government and it was a cyberattack that caused the explosion, although it's been easily debunked over the years that that was completely not true.
Robert M. Lee: [00:15:13] So to see all of this come up again, you know, I'm very hesitant to go with anything in the story. And I think, until there's some actual proof that comes forward, people should put this in the camp of hardware hacks are real, and we should think about them. But this story is likely inaccurate.
Dave Bittner: [00:15:32] It's interesting, as you mentioned, to see such a wide divide between those mentioned in the story and the reporters themselves. Bloomberg stands by the story. But as you said, it's just so unusual to see the vehement denials that we're seeing.
Robert M. Lee: [00:15:49] Well, it's also reporters that are coming out - right? - and saying how unusual aspects of the reporting are. So it's not just the technical experts, which is very important here. But, you know, there's been a number of really good reporters that came out and said, hey. Something's off. Like, Kim Zetter, who's easily one of the best tech journalists out there and has done this beat much longer than most, came out and said, look. You know, when I wrote The New York Times story, I had fact-checkers that had to go through every single one of my sources. And even your anonymous sources get fact-checked, right? I mean, just because they're anonymous doesn't mean that - no scrutiny. They just don't get named.
Robert M. Lee: [00:16:25] But nobody in this story that we're aware of got fact-checked. So the people that were named, like Joe, came out and said, look. Nobody ever called me and asked to fact-check this. So I think there's so many different aspects of the story that for a Bloomberg cover piece that was essentially going to massively hurt a company, it doesn't appear that the due diligence was done in a normal way from either tech or journalism standards to publish this piece.
Dave Bittner: [00:16:52] It also strikes me that, I mean, as soon as this was published, wouldn't the - the hunt would've been on to find one of these motherboards to be able to point to the chip on the board. And if the story - as the story says, if there are thousands of these out there, how hard could that hunt be?
Robert M. Lee: [00:17:07] Yeah. And so this is where we go back and forth on finding a compromised hardware is very difficult. And doing thorough analysis of it is very difficult because, again, the picture that they showed was a fake picture. So it's not like you could just go to the board and look for that little rice-grain-sized chip and look for it to be on the board because it's not the real one. What's - so the fact that thousands could be out there and go undetected, I can buy that. That makes sense to me.
Robert M. Lee: [00:17:38] But the fact that there was 30 companies that were in the know, or these multiple companies that were aware of this and knew what happened, that detected it, it doesn't make sense that of all of these companies full of people that were in the know, that everybody's keeping their mouth shut. I mean, it's a day and age where leaks are pervasive in any industry, especially in matters of intelligence and technology. And the fact that everyone's just, you know, super quiet right now and the companies that were supposedly willing to even work with the government to say, hey, this is a big deal, and we need people to know about it, are now coming out as saying, dude, that's not even close to true, that's where the story really doesn't hold water.
Robert M. Lee: [00:18:25] Now, we know there's more coming. So this is where Kim Zetter has again been extremely useful to the community in helping out and saying, look. Bloomberg is doing a series. So there's at least two more pieces coming on Chinese espionage. It'll be interesting to see what they say. But I don't know that the next stories are any less accurate because of this one or if the stories have anything to add to this one.
Robert M. Lee: [00:18:47] But at this point, nobody's going on the record. The people that were on the record said that their intent was not actually captured. The journalists that have covered this have shown before that they have trouble covering technical subjects. And nobody can find proof of anything. So it's - I think it's just too much to take the story on face value.
Robert M. Lee: [00:19:09] I think the takeaway should be that there are hardware hacks out there. Various state actors are absolutely trying to compromise supply chain. It is an extremely beneficial thing to be able to do. But it is much more difficult than people associate it with. And this is not likely the example that people should look to to show anything. And definitely, it appears that some wrong has been done to Supermicro.
Dave Bittner: [00:19:39] All right. Well, Rob Lee, thanks for your insights. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:52] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:20:19] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Wombat Security, a division of Proofpoint, is the leading provider of information security awareness and training software, designed to educate your employees to identify social engineering and protect your organization. Learn more at wombatsecurity.com.
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more.